Re: [PATCH] Allow execute access to /var/lib/libvirt/qemu/ for others

On Tue, Sep 08, 2015 at 08:49:16PM +0200, Jiri Denemark wrote:
On Tue, Sep 08, 2015 at 19:07:09 +0200, Martin Kletzander wrote:
Commit f1f68ca33433 tried fixing running multiple domains under various
users, but if the user can't browse the directory, it's hard for the
qemu running under that user to create the monitor socket.

The permissions need to be fixed in two places due to support for both
installations with and without driver modules.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886

Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
---
This is not a problem for non-rpm installs because normal make install
will not change the permissions, it will just create the directory, so
it has 0755, but that difference is not something I'm trying to fix in
this patch.

 libvirt.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index bb8bfc3c25c1..48461e865dc8 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -2002,7 +2002,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
 %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
-%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
+%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
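Review bot: The changed %dir line for %{_localstatedir}/lib/libvirt/qemu/ goes from 0750 to 0751, which grants others the search bit on the directory, so from this point on every entry beneath it is protected only by its own mode. The commit message should say so, and should state what guarantees that the per-domain entries created there carry no permission bits for others. Note also that the diffstat reports 2 insertions and 2 deletions and the commit message speaks of two places, while only one changed line is visible here; the second %dir entry should get the same 0751 value so that the builds with and without driver modules do not diverge.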

Seems OK, but are we sure every file created in that directory uses 007
mask? Otherwise, we would be opening a hole here...


To be honest I haven't checked that.  I'm relying on the fact that
RPM-based installations are the only ones that get their permissions
for others cut down, hence all normal installations would be broken
already.  Looking at the monitor socket for example, it might've been
a problem, but it's pre-existing to this patch (again, for
non-RPM-based installations).  We could fix this by restricting the
per-VM directories' permissions when creating them.  There's also one
more problem, that the default permissions are also 755 for channels,
that should be fixed as well, if it really is a problem now.
Although, if using SELinux, I think the problem is either not there or
way less problematic.

What's your view on that?

Jirka


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
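
The question raised in this thread, whether anything below the directory carries permission bits for others once the top level becomes 0751, can be checked with a short audit. This is an added example, not part of the patch or of libvirt: the names domain-demo and monitor.sock, the helper functions and the sample tree are constructed for illustration, and only plain mode bits are considered (no ACLs or SELinux).

```python
import os
import stat
import tempfile

OTHER_BITS = 0o007  # r, w, x for "others": the bits a 007 mask would clear


def exposed_to_others(root):
    """Return {relative_path: mode} for entries under root that a user who is
    neither owner nor group member can reach by name and has some access to."""
    exposed = {}

    def walk(directory, rel):
        if not stat.S_IMODE(os.lstat(directory).st_mode) & stat.S_IXOTH:
            return  # no search bit for others: nothing below is reachable
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not what grants access
            mode = stat.S_IMODE(st.st_mode)
            child_rel = os.path.join(rel, name)
            if mode & OTHER_BITS:
                exposed[child_rel] = mode
            if stat.S_ISDIR(st.st_mode):
                walk(path, child_rel)

    walk(root, "")
    return exposed


def build_sample_tree(base, top_mode, vm_mode):
    """Constructed layout: one per-VM directory holding a socket stand-in."""
    top = os.path.join(base, "qemu")
    vm = os.path.join(top, "domain-demo")    # hypothetical per-VM directory
    os.makedirs(vm)
    mon = os.path.join(vm, "monitor.sock")   # regular file standing in for a socket
    open(mon, "w").close()
    os.chmod(mon, 0o755)   # assumed: created without a restrictive mask
    os.chmod(vm, vm_mode)
    os.chmod(top, top_mode)
    return top


if __name__ == "__main__":
    for top_mode, vm_mode in ((0o750, 0o755), (0o751, 0o755), (0o751, 0o750)):
        with tempfile.TemporaryDirectory() as base:
            found = exposed_to_others(build_sample_tree(base, top_mode, vm_mode))
            print(oct(top_mode), oct(vm_mode), {p: oct(m) for p, m in found.items()})
```

The third case in the loop corresponds to the suggestion of restricting the per-VM directories when they are created: with the top level at 0751 and the per-VM directory at 0750, nothing below is reported.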
